2009-05-27

Analysis of Adobe RTMPE

A recently published analysis of RTMPE comes to the conclusion that, although the algorithm "provides end-to-end secrecy in exactly the same way that SSL provides end-to-end secrecy, it provides no security and uses no authentication of any kind." Nowhere is a secret key, a password or even a pass phrase required in order to decrypt the content: only a 32-byte hash value plus the size of the SWF file and publicly exchanged information, specifically the last 32 bytes of the first response from the streaming server, are involved.

Following this line of argument, it could be concluded that RTMPE is only a proprietary streaming protocol with encrypted transmission. It seems at least questionable whether Adobe could call this a circumvention of copy protection and thus be in a position to invoke the DMCA and prevent distribution of the software.